Sitecore admin folder anonymous access restrictions - authentication

The Sitecore security hardening guide instructs you to restrict access to the /sitecore/admin folder by disabling anonymous access. However, after I do that, I get an IIS error when I try to visit pages like /sitecore/admin/cache.aspx.
HTTP Error 401.2 - Unauthorized. You are not authorized to view this page due to invalid authentication headers.
Should anonymous access only be disabled if I don't want to access admin pages?
My Sitecore version is 6.6.0 (rev. 130404).

In addition to disabling anonymous access, you should make sure some sort of other authentication method is enabled. By default, IIS7+ doesn't have any other authentication methods available, so all traffic will get an "unauthorized" error. With another means of authentication enabled, IIS will let you access the /sitecore/admin path (at which point, Sitecore's authentication may kick in).
I've done this in the past by creating a local user on the machine and enabling basic auth. Keep in mind, basic auth is not too secure since credentials are passed over the wire as cleartext, but in this case we forced traffic over SSL.
Though not spelled out in the hardening guide, you could also look at limiting access to that directory by IP address. For example, on a production content delivery server, restrict access to only localhost, meaning you cannot browse that directory without being RDP'd to the server directly.

I think you should remove extranet/anonymous access, but make sure that sitecore/everybody (or other role) has access.
That way you can only access it while logged into Sitecore.
Use the Access Viewer to check that users have access to it.
And I think that those pages have a Sitecore login now. I know /sitecore/admin/dbbrowser.aspx has one.

I would not disable the anonymous access unless it is the production environment. I am not sure how you have the environments set up, but ideally cache clearance should be on your stage/uat environment.

Related

Apache Fallback Authentication from GSSAPI to Mellon

I have an Apache server where users authenticate to a website through Kerberos/GSSAPI (mod_auth_gssapi). In the event of a user attempting to visit the site externally (not available on the network ldap server), I would like to fallback to SAML authentication (mod_auth_mellon), but am having trouble figuring out if this is even possible. I am managing the config for this in httpd.conf. Both work independently of each other.
I have seen a number of suggestions and threads, but nothing seems to work for me. The Mellon module github page recommends using a config to preemptively check for credentials, but in my case, credentials do not exist yet, and any IF statements executed would happen before I can retrieve them.
Essentially, I would like to do this:
User visits site
Apache checks for LDAP username credentials through Kerberos/GSSAPI
If Kerberos credentials do not exist, try to authenticate through SAML/Mellon
I do not know ahead of time which users' information will be available in my local AD server or attempting to access externally.
I would like to keep this on the Apache side if possible, though I may have to relent and run SimpleSAML or something after Apache authenticates.
I am expecting to have an authentication fallback of Kerberos to SAML in my Apache config. Currently, Apache defaults to the last authentication method listed in the config file. I would like an either/or scenario, depending on whether the first authentication method is able to obtain a valid user.
Any ideas, thoughts, solutions, criticisms appreciated.

Disable authentication for an app cloudflare

I have a server and I made a tunnel with Cloudflare to be able to access it from outside, creating an application in Cloudflare Zero Trust, and I am trying to disable all the policies so that it allows me to access the application without authentication.
But nothing works, whenever I try to enter my linkstream.domain.org application, it asks me for authentication via email.
The reason is that this application allows me to play streams so I don't want it to have authentication to access.
I've searched and configured everything, but I can't remove this authentication from cloudflare:
Cloudflare Access is a product that can be used to add authentication to an application. If you want your application to be public (i.e. no authentication), I'd recommend not adding it to Access at all. You can set up a Cloudflare Tunnel without adding any Access application, for example to expose a webserver to the public.
I'd also recommend looking at the Allow policies.

Can a single Kentico site external authentication for one section, internal for another portion, and then no authentication for yet another

This is all with v8.2, with plan to migrate to 9 at a later date
Here's what we're looking into. To access one folder, users would need to have AD authentication; for two other folders, users would need to authenticate via Kentico's user management. The rest of the site would be wide open.
We also need to ensure any bookmarked URLs send the user to the correct authentication method, if applicable.
I'm digging further into the documentation for this too.
Yes this can happen. You'd need to enable/setup Mixed Mode Authentication within Kentico.
Secondly, for ensuring proper access to specific nodes in your site, I'd default to whatever more pages need; either require authentication or not. So if the majority of your pages required authentication, then on the master page level in the Properties>Security, set Access to require authentication. This will then propagate through the rest of the site.
For each of the nodes which are "public" simply go to the parent node Properties>Security and set Access to not require authentication.

How to set different web authentication mode for different database in Lotus Domino

Disclaimer: I'm not a Notes admin, I just wrote the application :), and I try to help our client to use it.
We provide a simple database with one agent to accept and process HTTP POST messages from Internet.
The Domino server where this database is going to be installed is configured for Single SignOn authentication for web access.
Is there a way to set only our database to use a different type of authentication, i.e. Basic Authentication, so we can hit it like this to POST messages to the agent:
http://username:password#my.domino.server/mydb.nsf/myagent
I thought about another approach as well: to remove any form of auth, and pass the credentials in the POSTed data itself. Then the agent will take care to process the data or not, based on whether the creds are OK. But this most probably will require some form of "impersonation", i.e. to somehow map the anonymous user to the one which has the rights to execute the agent. So, a valid answer to this question may be advice on how to set this up.
Additionally - we are looking at the web service approach (available in Domino 7.0+), but it will require changes on both sides - the sender (our publisher service) and the receiving agent. And most probably will lead back to the original question about how to authenticate the sender.
Any advice in that regard (even changing the approach) will be highly appreciated.
Cheers
Since Domino 7.0.2 there is a new kind of website rule entitled "Override Session Authentication" that allows you to specify, for a specific URL pattern (ex : /folder/myapp.nsf/myagent?*) to use BASIC auth even if the whole server is configured for session-based auth.
This was initially introduced for RSS readers (that cannot handle sessions).
More information here :
http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=/com.ibm.help.domino.admin.doc/DOC/H_OVERRIDING_SESSION_AUTHENTICATION_8847_STEPS.html
Although it's horribly insecure to allow this, it is possible using web site documents on the server.
Create a website document that has basic authentication for your database (it will need its own domain name) and then everyone else can access the server through the default website document which uses session authentication.
I'd suggest adding Anonymous to the ACL of the database, with No access and nothing but Read public documents checked. Then, you can grant access to the agent by checking Allow Public Access users to view and run this agent in the Agent properties.
I don't know if it is possible to get the Authorization header into the agent to check the authentication. If there are only two parties communicating I would compute a hash of the message, a timestamp and a shared secret and use that to check access.
Edit
You won't be able to parse the Authorization header manually. Domino (at least 7.0.3) tries to do a session authentication if your request contains an authorization header, regardless of access settings on the object you request.
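The "hash of the message, a timestamp and a shared secret" check suggested above, as an added example that is not the answer's own code: it uses HMAC-SHA256 rather than a plain hash over secret+message (so the tag cannot be extended or forged without the secret), binds the timestamp into the tag, and compares in constant time. The secret and the POST body are constructed sample values.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample secret; in practice shared out-of-band between the
# publisher service and the receiving Domino agent.
SHARED_SECRET = b"constructed-sample-secret-change-me"
MAX_SKEW_SECONDS = 300  # reject messages whose timestamp is outside this window


def make_tag(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: tag = HMAC-SHA256(secret, timestamp || '.' || body)."""
    # The timestamp is part of the MAC input, so an old tag cannot be moved
    # onto a fresh timestamp and an old message is rejected by the window check.
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_message(secret: bytes, timestamp: int, body: bytes, tag: str,
                   now: Optional[int] = None,
                   max_skew: int = MAX_SKEW_SECONDS) -> bool:
    """Receiver side: check freshness, then recompute and compare the tag."""
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > max_skew:
        return False  # stale (or far-future) timestamp: treat as a replay
    expected = make_tag(secret, timestamp, body)
    # compare_digest runs in constant time, so a wrong tag leaks nothing
    # about how many leading characters happened to match.
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    ts = int(time.time())
    payload = b'{"order": 42, "status": "shipped"}'  # constructed sample body
    tag = make_tag(SHARED_SECRET, ts, payload)
    print("accepted:", verify_message(SHARED_SECRET, ts, payload, tag))
    print("tampered:", verify_message(SHARED_SECRET, ts, payload + b"x", tag))
    print("replayed:", verify_message(SHARED_SECRET, ts, payload, tag, now=ts + 3600))
```

Within the skew window a captured message can still be replayed, so the agent should also remember recently accepted tags (or require a per-message nonce) if duplicate processing matters.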
Here, put that URL in your Favorites toolbar :
http://www-01.ibm.com/support/knowledgecenter/SSKTMJ_8.5.3/welcome_Domino_8_5_3.html
Also did you know that your Notes client and Domino Server come with help databases full of very adequate documents ? Try the [Help] menu for starters.
Then, said help databases are usually in the aptly named "help" folder. Open them.

NT authentication login

I am working on a site where users can login to get more private information.
My client has another site else where that uses nt authentication for accessing it.
What they want to do is have a button on the site I am working on under the private area that will send them to the nt authenticated site, but not require them to log on to that site instead passing the username and password that they used to log into my site to the other site for them.
Is it possible to do this? and how would I accomplish it? Is there a better way to do this?
Here's an (untested) theory, the details of which will greatly depend on what types of authentication the Sharepoint site will accept. I'll tackle Basic, since it's the easiest.
You'll write out some JavaScript that uses XMLHttpRequest to submit a request to the Sharepoint site, and add their username and password to the request headers. Their browser will run that JavaScript, and get logged into the Sharepoint site.
Now, when they click the link, the client's browser should have the cached credentials to send to the Sharepoint site.
Possible issues:
XMLHttpRequest does not allow cross domain auth
Browser and XHR don't share auth info
Sharepoint and XHR can't agree on auth method
Another option is to proxy the connection to Sharepoint, which allows you to login server side (bypassing XHR limitations and browser security) - but requiring load on your server and possibly some URL target issues.
How will the other site validate your username and password?
Ideally your site shouldn't even be remembering the user's password to be able to pass it to another site (you store hashes of the password, not the password itself, and only use the actual password during validation).
What if your site provided a token to the user, who presents that token to the new site, which in turn asks your site to validate the token. Basically the second site is trusting you to tell them who the user is.
This all breaks down if the second site is actually using the Windows accounts for anything other than just retrieving a user name (for example permissions on the underlying file), since the user is not logged on as the actual Windows user account in this scenario.
If you need to authenticate against the second site, you may need to spawn a new thread and call the windows LogonUser API. Once you have the security token, assign it to the new thread and do your connection via that thread.
LogonUser requires enhanced privileges, and isn't Managed code, so there are some pretty severe hiccups to using it. But that's been the only work around I've been able to find to get a Forms authenticated site talking to a Windows Authenticated Service/Site.
Hope this helps.
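The token handoff proposed in the answer above, as an added illustration rather than the answer's own code: the forms-authenticated site issues a short-lived, single-use token to the logged-in user, and the second site validates it by calling back, learning only the user name. The in-memory store and the TTL are assumptions for the example.

```python
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 60  # assumed lifetime; long enough for one redirect


class HandoffTokens:
    """Issuer-side store of outstanding handoff tokens (in-memory for the example)."""

    def __init__(self, ttl: int = TOKEN_TTL_SECONDS) -> None:
        self.ttl = ttl
        self._tokens: Dict[str, Tuple[str, float]] = {}  # token -> (user, expiry)

    def issue(self, username: str, now: Optional[float] = None) -> str:
        """Called when the logged-in user clicks the button to the other site."""
        now = time.time() if now is None else now
        # 32 random bytes: unguessable and carries no user data or password.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (username, now + self.ttl)
        return token

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Called server-to-server by the second site; returns the user name or None.

        The token is consumed on first use, so a replayed or leaked token
        cannot be validated a second time."""
        now = time.time() if now is None else now
        entry = self._tokens.pop(token, None)
        if entry is None:
            return None  # unknown, already used, or forged
        username, expiry = entry
        if now > expiry:
            return None  # expired: user must start again from the first site
        return username


if __name__ == "__main__":
    store = HandoffTokens()
    t = store.issue("alice")  # constructed sample user
    print("first validation:", store.validate(t))
    print("second validation:", store.validate(t))
```

As the answer notes, the second site then knows who the user is but the user is not logged on as a Windows account, so this only works where the target site needs a user name rather than Windows permissions.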
Is this an intranet environment? If so they shouldn't have to login anyways. If SharePoint is set up using "Integrated Authentication" and the site is listed as a trusted site in IE, the browser will use their network credentials for auto login. This can be set up on Firefox as well.
Your users will not be able to connect to the NTLM site directly without getting an NTLM challenge. I would write what would effectively be a proxy to the NTLM site; i.e your server-side code will have credentials to connect to the NTLM site, and it passes through the requests from your users.
As you mention it's SharePoint (spit) bear in mind that SharePoint has a bunch of Web Services you could use for this (rather than doing screen-scraping).